Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal
Summary:
Trend Micro researchers have uncovered significant developments in the operations of the Agenda ransomware group, also known as Qilin, highlighting their use of the well-known SmokeLoader and a newly identified .NET-based loader named NETXLOADER. Active since July 2022, Agenda has continually evolved, recently transitioning its ransomware codebase from Go to Rust, and expanding its capabilities with features like remote execution, virtual environment propagation, and advanced evasion techniques. In Q1 2025, the group targeted organizations in the healthcare, technology, finance, and telecommunications sectors across the US, the Netherlands, Brazil, India, and the Philippines.
NETXLOADER, protected by .NET Reactor 6, plays a central role in delivering ransomware payloads. It is highly obfuscated, uses JIT hooking to load MSIL bytecode at runtime, and dynamically resolves Windows API calls to evade detection. Payloads are downloaded from disposable domains with benign-looking names and are renamed post-deployment using systematic naming conventions to avoid raising alarms. The loader decrypts and decompresses its payloads using AES and GZip, allocates memory, and executes the final malware, either Agenda ransomware or SmokeLoader, directly in memory. Once deployed, SmokeLoader runs through several stages of execution involving anti-debugging, anti-analysis, and sandbox evasion techniques: it checks for virtual environments, debugger presence, and specific regional settings to decide whether it should proceed.
Security Officer Comments:
NETXLOADER and SmokeLoader work in tandem to execute Agenda ransomware attacks. The attackers use a reflective DLL loading technique, enabling the ransomware payload to run directly in memory without touching the disk, thereby avoiding common security detections. SmokeLoader also maintains communication with its command-and-control servers using encrypted POST requests, even disguising malicious responses behind HTTP 404 codes.
Suggested Corrections:
To proactively defend against attacks utilizing Agenda ransomware, SmokeLoader, and NETXLOADER, enterprises should implement a comprehensive security strategy that includes the following best practices:
- Access control: Limit administrative rights and access privileges to employees only when necessary. Regularly review and adjust permissions to minimize the risk of unauthorized access.
- Regular updates and scanning: Ensure that all security software is updated regularly and conduct periodic scans to identify vulnerabilities. Use endpoint security solutions to detect and block malicious components and suspicious behavior.
- Data backup: Regularly back up critical data and implement a robust recovery plan. This will be a failsafe measure against data loss in a ransomware attack.
- Email and web safety: Exercise caution with email and web practices. Avoid downloading attachments, clicking on links, or installing applications unless the source is verified and trusted. Implement web filtering to restrict access to known malicious websites.
- User education: Conduct regular training sessions for employees on recognizing social engineering tactics and the dangers of phishing. This awareness can significantly reduce the likelihood of falling victim to such attacks.
- Multilayered security approach: Adopt a multilayered defense strategy that includes endpoint, email, web, and network security. This approach will help protect against potential entry points into the system and enhance overall threat detection capabilities.
- Sandboxing and application control: Use sandboxing tools to analyze files before they are executed, ensuring that any suspicious files are scanned for potential threats. Enforce application control policies to prevent the execution of unauthorized applications and scripts.
- Monitoring for abnormal activity: Implement security information and event management (SIEM) tools to monitor for unusual script executions and outbound connections. This proactive monitoring can help identify and mitigate threats before they escalate.
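The monitoring recommendation above can be made concrete for the C2 behaviour described in the summary (encrypted POST requests whose responses hide behind HTTP 404). The following Python is an added example, not code from the Trend Micro report or the forum post: it parses a constructed, simplified proxy log format (timestamp, source IP, method, host, path, status, response bytes) and applies two heuristics, flagging POST requests that are answered with a 404 yet carry a non-trivial body, and flagging source/host pairs that issue repeated POSTs without ever receiving a 2xx response. The log lines, the field layout and the thresholds (1024 bytes, 3 POSTs) are assumptions chosen for illustration and would need tuning against a real proxy's 404 page sizes.

```python
"""Flag HTTP exchanges that resemble C2 traffic hidden behind 404 responses.

Added example for the SIEM/monitoring recommendation; not part of the original
report. Log format and thresholds are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample proxy log: ts src_ip method host path status resp_bytes
SAMPLE_LOG = """\
2025-04-02T10:01:05Z 10.0.0.21 GET www.example-cdn.test /static/app.js 200 48213
2025-04-02T10:01:07Z 10.0.0.21 POST updates-svc.test /index.php 404 1932
2025-04-02T10:02:07Z 10.0.0.21 POST updates-svc.test /index.php 404 2048
2025-04-02T10:03:07Z 10.0.0.21 POST updates-svc.test /index.php 404 1988
2025-04-02T10:03:40Z 10.0.0.35 GET intranet.corp.test /missing.html 404 312
2025-04-02T10:04:12Z 10.0.0.35 POST api.vendor.test /v1/login 200 512
2025-04-02T10:04:13Z 10.0.0.35 POST api.vendor.test /v1/nope 404 0
"""


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    method: str
    host: str
    path: str
    status: int
    resp_bytes: int


def parse_log(text: str) -> List[Event]:
    """Parse the constructed space-separated format; malformed lines are skipped."""
    events: List[Event] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # do not let one bad line abort the whole run
        ts, src, method, host, path, status, size = fields
        events.append(Event(ts, src, method.upper(), host, path, int(status), int(size)))
    return events


def find_404_post_beacons(events: List[Event], min_body: int = 1024) -> List[Event]:
    """Heuristic 1: a POST answered with 404 that still returns a sizeable body.

    A genuine 'not found' for a POST rarely needs a large payload; a loader that
    hides its tasking behind a 404 does. min_body is an assumed threshold.
    """
    return [
        e for e in events
        if e.method == "POST" and e.status == 404 and e.resp_bytes >= min_body
    ]


def find_post_only_domains(events: List[Event], min_posts: int = 3) -> Dict[Tuple[str, str], int]:
    """Heuristic 2: a host repeatedly POSTing to a domain that never returns 2xx.

    Legitimate API use normally mixes in successful responses; a beacon that is
    always 'rejected' does not. Returns {(src_ip, host): post_count}.
    """
    posts: Counter = Counter()
    successes: Set[Tuple[str, str]] = set()
    for e in events:
        key = (e.src, e.host)
        if e.method == "POST":
            posts[key] += 1
        if 200 <= e.status < 300:
            successes.add(key)
    return {k: n for k, n in posts.items() if n >= min_posts and k not in successes}


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for hit in find_404_post_beacons(evts):
        print(f"[404-with-body] {hit.src} -> {hit.host}{hit.path} ({hit.resp_bytes} bytes)")
    for (src, host), n in find_post_only_domains(evts).items():
        print(f"[post-only]     {src} -> {host}: {n} POSTs, no 2xx")
```

Both heuristics are intentionally cheap so they can run over a full day of proxy logs; in practice the body-size threshold should be derived from the observed 404 page sizes per destination, and hits should be enriched with domain age, since the report notes the loader favours disposable, benign-looking domains.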
https://www.trendmicro.com/en_us/re...adds-smokeloader-and-netxloader-to-their.html